Blackworm
Blackworm is an Internet worm, discovered on January 20, 2006, that infects several versions of Microsoft Windows. It is also known as Grew.a, Grew.b, Blackmal.e, Nyxem.e, Nyxem.d, Mywife.d, Tearec.a, CME-24, and Kama Sutra.
Blackworm spreads mainly by sending infected email attachments, but also infects other computers by copying itself over network shares. The virus removes antivirus programs from remote computers before attempting to infect them. When first installed, it copies itself to the Windows and system directories. It uses filenames that resemble those of legitimate Windows system files in an attempt to remain hidden. It activates on the third day of each month; the first known activation happened on February 3, 2006.[1][2] On activation, the virus overwrites data files of many common types, including Word, Excel, and PowerPoint documents; ZIP and RAR archives; and PDFs. It can destroy files on fixed and removable drives and tries, but fails, to affect data on network drives. It also attempts to disable antivirus programs by removing the registry entries that automatically run them and deleting the antivirus programs directly.
The virus visits a tracking Web page each time it infects a computer. Over 300,000 unique IPs visited that site,[3] suggesting that at least that many computers suffered infection. It is not known how many of them remained infected long enough to trigger the virus’s payload.
References
1. Description of Blackworm from the Internet Storm Center
2. LURHQ Threat Intelligence Group, "BlackWorm Hostile Payload Scheduled to Activate Feb 3"
3. Description of Blackworm from F-Secure
External links
- CME-24 (BlackWorm) Users’ FAQ
- Nyxem.E at Symantec - Detailed description of the Nyxem.E virus
- Nyxem.E at Microsoft - Microsoft description and detailed information on the Nyxem.E virus
- Nyxem.E at Kaspersky Labs - Nyxem.E detailed description and manual removal instructions
- How to remove Blackworm tutorial